Sunday, October 26, 2025

Hyper-V Virtual TPMs, Certificates, VM Export and Migration


Virtual Trusted Platform Modules (vTPMs) in Hyper-V let you run guest operating systems such as Windows 11 or Windows Server 2025 with their security features enabled. One of the challenges of vTPMs is that they depend on certificates held on the local Hyper-V server. That is fine if you only ever run the VM with the vTPM on that server, but it is a possible cause of problems if you want to move that VM to another server.

In this article I'll show you how to manage the certificates that are associated with vTPMs, so that you can export or move VMs that use them, such as Windows 11 VMs, to any prepared Hyper-V host you manage.

When a vTPM is enabled on a Generation 2 virtual machine, Hyper-V automatically generates a pair of self-signed certificates on the host where the VM resides. These certificates are specifically named:

  • "Shielded VM Encryption Certificate (UntrustedGuardian) (ComputerName)"
  • "Shielded VM Signing Certificate (UntrustedGuardian) (ComputerName)"

These certificates are stored in a dedicated local certificate store on the Hyper-V host named "Shielded VM Local Certificates". By default, these certificates are provisioned with a validity period of 10 years.

For a vTPM-enabled virtual machine to successfully live migrate and subsequently start on a new Hyper-V host, the "Shielded VM Local Certificates" (both the Encryption and the Signing certificate) from the source host must be present and trusted on all potential destination Hyper-V hosts.

Exporting vTPM-related certificates

You can transfer certificates from one Hyper-V host to another using the following procedure:

  1. On the source Hyper-V host, open mmc.exe. From the "File" menu, select "Add/Remove Snap-in…". In the "Add or Remove Snap-ins" window, select "Certificates" and click "Add". Choose "Computer account" and then "Local computer".
  2. Navigate through the console tree to "Certificates (Local Computer) > Personal > Shielded VM Local Certificates".
  3. Select both the "Shielded VM Encryption Certificate" and the "Shielded VM Signing Certificate". Right-click the selected certificates, choose "All Tasks", and then click "Export".
  4. In the Certificate Export Wizard, on the "Export Private Key" page, select "Yes, export the private key". The certificates are unusable for their intended purpose without their associated private keys.
  5. Select "Personal Information Exchange – PKCS #12 (.PFX)" as the export file format. Select "Include all certificates in the certification path if possible". Provide a strong password to protect the PFX file. This password will be required during the import process.

To perform this process from the command line, first display details of the certificates in the "Shielded VM Local Certificates" store, including their serial numbers:

certutil -store "Shielded VM Local Certificates"

Use the serial numbers to export each certificate, making sure the private key is included. Replace <EncryptionCertSerial> and <SigningCertSerial> with the actual serial numbers, and "YourSecurePassword" with a strong password:

certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <EncryptionCertSerial> C:\Temp\VMEncryption.pfx

certutil -exportPFX -p "YourSecurePassword" "Shielded VM Local Certificates" <SigningCertSerial> C:\Temp\VMSigning.pfx
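The same export done in PowerShell, as an added example that is not code from the original post: it enumerates the "Shielded VM Local Certificates" store, refuses to continue if either certificate lacks its private key (the condition step 4 warns about), and writes one PFX per certificate. The output folder, the file naming and the subject-matching pattern are this example's own assumptions; it must be run in an elevated session on the source host.

```powershell
# Added example (not from the original post). Export both Shielded VM Local
# Certificates, with private keys, to password-protected PFX files.
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$OutDir    = 'C:\Temp\vTPM-Certs'            # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Prompt for the PFX password instead of embedding it in the script.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Assumption: the subject CN contains "Shielded VM Encryption ..." or "Shielded VM Signing ...".
$certs = Get-ChildItem -Path $StorePath |
    Where-Object { $_.Subject -match 'Shielded VM (Encryption|Signing)' }

if (@($certs).Count -lt 2) {
    throw "Expected an Encryption and a Signing certificate in '$StorePath', found $(@($certs).Count)."
}

foreach ($cert in $certs) {
    # A certificate without its private key is useless on the destination host.
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key and cannot be exported for vTPM use."
    }
    $kind = if ($cert.Subject -match 'Encryption') { 'Encryption' } else { 'Signing' }
    $file = Join-Path $OutDir "ShieldedVM-$kind-$env:COMPUTERNAME.pfx"

    # Export-PfxCertificate includes the private key; the default chain option
    # corresponds to the wizard's "Include all certificates in the certification path".
    Export-PfxCertificate -Cert $cert -FilePath $file -Password $PfxPassword | Out-Null
    Write-Host "Exported $kind certificate $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $file"
}
```

The PFX files now carry the private keys, so treat them like any other key material: copy them to the destination hosts over an authenticated channel and delete the staging copies once the import has been verified.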

Importing vTPM-related certificates

To import these certificates on a Hyper-V host that you want to migrate a vTPM-enabled VM to, perform the following steps:

  1. Transfer the exported PFX files to all Hyper-V hosts that may serve as potential live migration targets.
  2. On each target host, open mmc.exe and add the "Certificates" snap-in for the "Computer account" (Local computer).
  3. Navigate to "Certificates (Local Computer) > Personal". Right-click the "Personal" folder, choose "All Tasks", and then click "Import".
  4. Proceed through the Certificate Import Wizard. Make sure the certificates are placed in the "Shielded VM Local Certificates" store.
  5. After completing the wizard, verify that both the Encryption and Signing certificates now appear in the "Shielded VM Local Certificates" store on the new host.

You can accomplish the same thing using PowerShell with the following command:

Import-PfxCertificate -FilePath "C:\Backup\CertificateName.pfx" -CertStoreLocation "Cert:\LocalMachine\Shielded VM Local Certificates" -Password (ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText)
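A script version of the import plus the verification in step 5, added here as an example and not taken from the original post: it imports every PFX in a folder, then checks the store itself (not just the cmdlet's return value) to confirm each imported certificate is present with its private key. The folder path is an assumption; run it elevated on each destination host.

```powershell
# Added example (not from the original post). Import the exported PFX files on a
# destination Hyper-V host and verify they landed in the store with private keys.
$StorePath   = 'Cert:\LocalMachine\Shielded VM Local Certificates'
$PfxDir      = 'C:\Temp\vTPM-Certs'          # assumed: where the PFX files were copied to
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

$imported = foreach ($pfx in Get-ChildItem -Path $PfxDir -Filter '*.pfx') {
    # -Exportable keeps the private key exportable so this host can later act as a
    # migration source itself; without it the imported key is marked non-exportable.
    Import-PfxCertificate -FilePath $pfx.FullName -CertStoreLocation $StorePath `
        -Password $PfxPassword -Exportable
}

# Re-read the store and verify each imported certificate by thumbprint.
$store = Get-ChildItem -Path $StorePath
foreach ($cert in $imported) {
    $inStore = $store | Where-Object Thumbprint -eq $cert.Thumbprint | Select-Object -First 1
    if (-not $inStore) {
        throw "Certificate $($cert.Thumbprint) is not present in '$StorePath'."
    }
    if (-not $inStore.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) was imported without its private key; re-export it with the key included."
    }
    if ($inStore.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($inStore.Subject) expires on $($inStore.NotAfter); plan a key protector reset."
    }
    Write-Host "OK: $($inStore.Subject) ($($inStore.Thumbprint)) has a private key"
}
```

The thumbprint check matters because the destination host already has its own Encryption and Signing certificates in the same store; simply counting certificates would not tell you whether the source host's pair actually arrived.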

Updating vTPM-related certificates

Self-signed vTPM certificates automatically expire after 10 years. Resetting the key protector for a vTPM-enabled VM in Hyper-V lets you change or renew the underlying certificates (especially if the private key changes). Here are the requirements and considerations around this process:

  • The VM must be in an Off state to change security settings or reset the key protector.
  • The host must have the appropriate certificates (including private keys) in the "Shielded VM Local Certificates" store. If the private key is missing, the key protector cannot be set or validated.
  • Always back up the VM and the existing certificates before resetting the key protector, as this process can make previously encrypted data inaccessible if not carried out correctly.
  • The VM must be at a supported configuration version (typically version 7.0 or higher) to support vTPM and key protector features.

To save the current Key Protector: on the source Hyper-V host, retrieve the current Key Protector for the VM and save it to a file.

Get-VMKeyProtector -VMName 'VM001' | Out-File '.\VM001.kp'

To reset the key protector with a new local key protector:

Set-VMKeyProtector -VMName "<VMName>" -NewLocalKeyProtector

This command instructs Hyper-V to generate a new key protector using the current local certificates. After resetting, enable the vTPM if needed:

Enable-VMTPM -VMName "<VMName>"

It is important to note that if an incorrect Key Protector is applied to the VM, it may fail to start. In such cases, the Set-VMKeyProtector -RestoreLastKnownGoodKeyProtector cmdlet can be used to revert to the last known working Key Protector.

More information: Set-VMKeyProtector: https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmkeyprotector
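The requirements listed above turned into pre-flight checks, as an added example that is not code from the original post: the script refuses to reset the key protector unless the VM is Off, its configuration version is at least 7.0 and both local certificates with private keys are present, and it backs up the current key protector as raw bytes first. The VM name and backup folder are assumptions; run it elevated on the host that owns the VM.

```powershell
# Added example (not from the original post). Pre-flight checks, backup, then
# reset of the key protector for a vTPM-enabled VM.
$VMName    = 'VM001'                            # assumed VM name
$BackupDir = 'C:\Temp\KeyProtectorBackup'       # assumed backup folder
$StorePath = 'Cert:\LocalMachine\Shielded VM Local Certificates'

$vm = Get-VM -Name $VMName -ErrorAction Stop

# Requirement: security settings can only be changed while the VM is Off.
if ($vm.State -ne 'Off') {
    throw "VM '$VMName' must be Off before its key protector can be reset (current state: $($vm.State))."
}

# Requirement: configuration version 7.0 or higher.
if ([version]$vm.Version -lt [version]'7.0') {
    throw "VM '$VMName' is configuration version $($vm.Version); 7.0 or higher is required."
}

# Requirement: both local certificates, with private keys, must be in the store.
foreach ($kind in 'Encryption', 'Signing') {
    $present = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -match "Shielded VM $kind" -and $_.HasPrivateKey }
    if (-not $present) {
        throw "No Shielded VM $kind certificate with a private key found in '$StorePath'."
    }
}

# Back up the current key protector (Get-VMKeyProtector returns a byte array).
# To restore it later: Set-VMKeyProtector -VMName $VMName -KeyProtector ([System.IO.File]::ReadAllBytes($kpFile))
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$kpFile = Join-Path $BackupDir ("{0}-{1}.kp" -f $VMName, (Get-Date -Format 'yyyyMMdd-HHmmss'))
[byte[]]$kp = Get-VMKeyProtector -VMName $VMName
[System.IO.File]::WriteAllBytes($kpFile, $kp)
Write-Host "Saved current key protector ($($kp.Length) bytes) to $kpFile"

# Only now generate a new key protector from the host's current local certificates.
Set-VMKeyProtector -VMName $VMName -NewLocalKeyProtector
Enable-VMTPM -VMName $VMName

# Confirm the resulting security settings.
Get-VMSecurity -VMName $VMName | Select-Object TpmEnabled, Shielded
```

If the VM then fails to start, the saved file gives you a second recovery path next to -RestoreLastKnownGoodKeyProtector: the byte array in the .kp file can be handed back to Set-VMKeyProtector -KeyProtector as shown in the comment.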
